Protecting Your Organization

Malware at Microsoft: Dealing with threats in the Microsoft environment

Microsoft IT

Microsoft IT provides information technology services internally for Microsoft employees and resources. Microsoft IT manages 600,000 devices for 180,000 users across more than 100 countries and regions worldwide, with approximately 2 million remote connections per month. Safeguarding a computing infrastructure of this size requires implementation of strong security policies, technology to help keep malware off the network and away from mission-critical resources, and dealing with malware outbreaks swiftly and comprehensively when they occur.

This section of the report compares the potential impact of malware to the levels of antimalware compliance from approximately 350,000 workstation computers managed by Microsoft IT between January and June 2013. This data is compiled from multiple sources, including System Center Endpoint Protection, Network Access Protection, DirectAccess, and manual submission of suspicious files. Comparing the nature and volume of the malware detected on these computers to the level of protection they receive can illustrate significant trends and give insights as to the effectiveness of antimalware software and security best practices.

Antimalware usage

Real-time antimalware software is required on all user devices that connect to the Microsoft corporate network. Microsoft’s supported antimalware solution for users is System Center Endpoint Protection 2012 (SCEP). To be considered compliant with antimalware policies and standards, user computers must be running the latest version of the SCEP client, antimalware signatures must be no more than six days old, and real-time protection must be enabled.
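The three compliance rules above can be evaluated mechanically against an endpoint inventory. The following is an added example, not part of the report or any Microsoft IT tooling; version strings, host names and dates are constructed, and the policy constants mirror the rules stated in the text.

```python
from dataclasses import dataclass
from datetime import date

# Policy as stated in the report: latest client, signatures no older than six days, RTP on.
MAX_SIGNATURE_AGE_DAYS = 6


@dataclass(frozen=True)
class Endpoint:
    name: str
    client_version: str       # installed antimalware client version
    signature_date: date      # date of the installed signature set
    realtime_protection: bool


def parse_version(v: str) -> tuple:
    """Turn '4.1.0.0' into (4, 1, 0, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def noncompliance_reasons(ep: Endpoint, latest_version: str, today: date) -> list:
    """Return the rules an endpoint fails; an empty list means compliant."""
    reasons = []
    if parse_version(ep.client_version) < parse_version(latest_version):
        reasons.append("outdated client")
    if (today - ep.signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("stale signatures")
    if not ep.realtime_protection:
        reasons.append("real-time protection disabled")
    return reasons


def compliance_report(endpoints, latest_version: str, today: date):
    """Return (compliance rate in percent, {name: failed rules}) for the inventory."""
    results = {ep.name: noncompliance_reasons(ep, latest_version, today) for ep in endpoints}
    compliant = sum(1 for r in results.values() if not r)
    return 100.0 * compliant / len(endpoints), results


# Constructed inventory (hypothetical hosts and version strings, not real data).
TODAY = date(2013, 6, 30)
LATEST = "4.1.0.0"  # placeholder for the current client version
SAMPLE = [
    Endpoint("WS-001", "4.1.0.0", date(2013, 6, 29), True),
    Endpoint("WS-002", "4.1.0.0", date(2013, 6, 24), True),   # exactly 6 days old: still compliant
    Endpoint("WS-003", "4.1.0.0", date(2013, 6, 23), True),   # 7 days old: stale
    Endpoint("WS-004", "4.0.9.0", date(2013, 6, 30), True),   # older client build
    Endpoint("WS-005", "4.1.0.0", date(2013, 6, 30), False),  # real-time protection off
]
```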

Figure 79 shows the level of antimalware noncompliance in the Microsoft user workstation environment for each month in 1H13.

Figure 79. Percent of computers at Microsoft not running real-time antimalware software in 1H13

At an average of 99.5 percent compliance during the six-month period, the antimalware compliance rate at Microsoft is very high. In any network of this size, it is almost inevitable that a small number of computers will be in a noncompliant state at any given time. In most cases, these are computers that are being rebuilt or are otherwise in a state of change when online, rather than computers that have had their antimalware software intentionally disabled. Microsoft IT believes that a compliance rate in excess of 99 percent among 350,000 computers is an acceptable level of compliance. In most cases, attempting to boost a large organization’s compliance rate the rest of the way to 100 percent will likely be a costly endeavor, and the end result—100 percent compliance—will be unsustainable for any length of time.

Malware and unwanted software detections

Figure 80 shows detections of categories of malware and unwanted software at Microsoft in 1H13.

Figure 80. Malware and unwanted software detected by System Center Endpoint Protection at Microsoft in 1H13, by category

In this section, malware detections are defined as files and processes flagged by System Center Endpoint Protection, regardless of the success or failure of automated containment or remediation. Malware detections are a measure of attempted malware activity, and do not necessarily indicate that a computer has been successfully infected. (Note that the methodology for assessing encounters used elsewhere in this report counts unique computers with detections, an approach that differs from the methodology used here in which individual detections are counted. For example, if a computer encountered one malware family in April and another one in June, it would only be counted once for the purposes of figures such as Figure 26 on page 46. In the preceding Figure 80, it would be counted twice, once for each detection.)
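The two counting methods described in the parenthetical give different totals from the same telemetry. This added example (not from the report) computes both from constructed detection records, with hypothetical host and family names, so the difference is visible side by side.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Detection:
    computer: str
    family: str
    category: str
    when: date


def detection_counts(detections) -> Counter:
    """Count every individual detection per category (the method used for Figure 80)."""
    return Counter(d.category for d in detections)


def encounter_counts(detections) -> dict:
    """Count unique computers with at least one detection per category
    (the method used elsewhere in the report)."""
    seen = {}
    for d in detections:
        seen.setdefault(d.category, set()).add(d.computer)
    return {cat: len(hosts) for cat, hosts in seen.items()}


def computers_with_any_detection(detections) -> int:
    """Unique computers that encountered anything at all in the period."""
    return len({d.computer for d in detections})


# Constructed records (hypothetical hosts and family names, not real telemetry).
SAMPLE = [
    Detection("WS-001", "Win32/ExampleA", "Misc Trojans", date(2013, 4, 3)),
    Detection("WS-001", "Win32/ExampleB", "Misc Trojans", date(2013, 6, 12)),  # same host, second family
    Detection("WS-002", "Win32/ExampleA", "Misc Trojans", date(2013, 2, 1)),
    Detection("WS-003", "Win32/ExampleAd", "Adware", date(2013, 3, 9)),
    Detection("WS-003", "Win32/ExampleAd", "Adware", date(2013, 3, 9)),  # blocked twice on one host
]
```

WS-001 is counted twice under the detection method and once under the encounter method, exactly the April/June case the text describes.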

Miscellaneous Trojans was the most prevalent category, with Adware in second, followed by Exploits and Viruses. Overall, the threat mixture seen at Microsoft is similar to the threat mixture encountered worldwide, as explored in the “Malware” section beginning on page 45.

Figure 81 shows the top 10 file types among threat detections at Microsoft in 1H13.

Figure 81. Threat detections at Microsoft in 1H13, by file type

Because web browsing was the most frequently used transmission vector for infection attempts at Microsoft in 1H13 (see Figure 82), the prevalence of HTML (.htm) and JavaScript (.js) files among threat detections is unsurprising. Malicious program files (.exe) and malware disguised as temporary files (.tmp, .temp) were also detected relatively frequently.

Transmission vectors

Examining the processes targeted by malware can help illustrate the methods that attackers use to propagate it. Figure 82 lists the top 5 transmission vectors used by the malware encountered at Microsoft in 1H13.

Figure 82. The top 5 transmission vectors used by malware encountered at Microsoft in 1H13

Rank Description
1 Web browsing
2 File transfer applications
3 File transfers in the operating system
4 Email
5 Non-Microsoft software

As noted earlier, web browsing was the transmission vector most commonly used by infection attempts detected on Microsoft computers in 1H13. (Transmission vector means the method by which the malware was delivered to the local computer—a web browser in this particular discussion, probably when the user visited a malicious or compromised webpage or attempted to download a malicious file. It does not necessarily mean that the malware targeted the web browser for infection.) File transfer applications, such as Microsoft OneDrive, Microsoft SharePoint, and peer-to-peer (P2P) applications, were the second most commonly used transmission vector after web browsing. File transfers that use the operating system—Windows Explorer, in other words—were in third. Email, a popular transmission vector for attackers for many years, was fourth, followed by non-Microsoft software.

Malware and unwanted software infections

Because almost all of the computers at Microsoft run real-time security software at all times, most infection attempts are detected and blocked before they are able to infect the target computer. When SCEP does disinfect a computer, it is usually because its signature database has been updated to enable it to detect a threat that it did not recognize when the computer first encountered the threat. This lack of recognition may be because the threat is a new malware family, a new variant of a known family, a known variant that has been encrypted or otherwise repackaged to avoid detection, or because of some other reason. The MMPC constantly analyzes malware samples submitted to it, develops appropriate detection signatures, and deploys them to customers who use SCEP, Microsoft Security Essentials, and Windows Defender.

Figure 83 summarizes the threats that SCEP detected on and removed from computers at Microsoft between January and June of 2013.

Figure 83. Computers at Microsoft cleaned of malware and unwanted software in 1H13, by category

As with detections, Miscellaneous Trojans was the most common threat category to infect computers at Microsoft in 1H13, but the rest of the list shows significant differences. Adware, which was responsible for the second highest number of detections, actually resulted in the smallest number of infections, with adware being cleaned from only one computer companywide during the first half of 2013. Meanwhile, Trojan Downloaders & Droppers, which was one of the less frequently detected threat categories during the period, was responsible for the third largest number of detections.

Figure 84 shows the top 10 file types used by malware to infect computers at Microsoft in 1H13.

Figure 84. Infections and removals at Microsoft in 1H13, by file type

Of the four malware charts presented in this section, Figure 84 is potentially the most important because it provides information about threats that SCEP could not detect when they were first encountered—and therefore provides a clue about the areas in which malware authors have been focusing their efforts in recent months. The .exe extension, which denotes executable program files, was the most commonly used file type among successful infections, followed by .dll, which denotes dynamic-link library files. Malicious HTML and JavaScript files, despite their popularity among infection attempts as shown in Figure 81, were only responsible for a small number of actual infections.

What IT departments can do to minimize these trends

  • Evaluate management tools available on the market to develop a plan and implement a third-party update mechanism to disseminate non-Microsoft updates.
  • Ensure that all software deployed on computers in the environment is updated regularly. If the software provider offers an automatic update utility such as Microsoft Update, ensure that it is enabled by default. See “Turn automatic updating on or off” for instructions on enabling automatic updates of Microsoft software.
  • Ensure that SmartScreen Filter is enabled in Internet Explorer. See “SmartScreen Filter: frequently asked questions” for more information.
  • Use Group Policy to enforce configurations for Windows Update and SmartScreen Filter. See Knowledge Base article KB328010 and “SmartScreen Filter and Resulting Internet Communication in Windows 8 and Windows Server 2012” for instructions.
  • Set the default configuration for antimalware to enable real-time protection across all drives, including removable devices.
  • Move to a 64-bit hardware architecture.
  • Identify business dependencies on Java and develop a plan to minimize its use where not needed.
  • Use AppLocker to block installation and use of unwanted software such as Java or peer-to-peer (P2P) applications. See “AppLocker: Frequently Asked Questions” for more information.
  • Implement the Enhanced Mitigation Experience Toolkit (EMET) to minimize exploitation of vulnerabilities in all manufactured software. See Knowledge Base article KB2458544 for more information.
  • Strengthen authentication by using smart cards. See “Smart Cards” for more information.
  • Use Network Access Protection (NAP) and DirectAccess (DA) to enforce compliance policies for firewall, antimalware, and patch management on remote systems connecting to the corporate network. See “Network Access Protection” and “Windows 7 DirectAccess Explained” for more information.